-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05. nov. 2013 03:29, jack seth wrote:
> ----------------------------------------
>> Date: Tue, 5 Nov 2013 00:51:33 +0100 From:
>> openvpn.l...@topphemmelig.net To: bird_...@hotmail.com CC:
>> openvpn-users@lists.sourceforge.net Subject: Re: [Openvpn-users]
>> Can't connect using tls-cipher
>> TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA
>> 
>> On 04/11/13 21:59, jack seth wrote:
>>> ----------------------------------------
>>>> Date: Mon, 4 Nov 2013 14:55:53 +0100 From:
>>>> openvpn.l...@topphemmelig.net To: bird_...@hotmail.com 
>>>> Subject: Re: [Openvpn-users] Can't connect using tls-cipher
>>>> TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA
>>>> 
>>>> On 04/11/13 04:17, jack seth wrote:
>>>>> I can't connect to my openvpn server using the option
>>>>> 'tls-cipher TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA'. This is
>>>>> the only change I made to the server and client configs.
>>>>> They were working perfectly before this. Here is the
>>>>> relevant log info.
>>>>> 
>>>>> Client log
>>>>> Sun Nov 03 21:00:26 2013 OpenVPN 2.3.2 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Aug 22 2013
>>>>> Enter Management Password:
>>>>> Sun Nov 03 21:00:26 2013 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
>>>>> Sun Nov 03 21:00:26 2013 Need hold release from management interface, waiting...
>>>>> Sun Nov 03 21:00:26 2013 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
>>>>> Sun Nov 03 21:00:26 2013 MANAGEMENT: CMD 'state on'
>>>>> Sun Nov 03 21:00:26 2013 MANAGEMENT: CMD 'log all on'
>>>>> Sun Nov 03 21:00:26 2013 MANAGEMENT: CMD 'hold off'
>>>>> Sun Nov 03 21:00:26 2013 MANAGEMENT: CMD 'hold release'
>>>>> Sun Nov 03 21:00:27 2013 Control Channel Authentication: using 'c:\Program Files (x86)\OpenVPN\config\ta.key' as a OpenVPN static key file
>>>>> Sun Nov 03 21:00:27 2013 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
>>>>> Sun Nov 03 21:00:27 2013 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
>>>>> Sun Nov 03 21:00:27 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
>>>>> Sun Nov 03 21:00:27 2013 MANAGEMENT:>STATE:1383534027,RESOLVE,,,
>>>>> Sun Nov 03 21:00:27 2013 UDPv4 link local: [undef]
>>>>> Sun Nov 03 21:00:27 2013 UDPv4 link remote: [AF_INET]**.**.**.232:1194
>>>>> Sun Nov 03 21:00:27 2013 MANAGEMENT:>STATE:1383534027,WAIT,,,
>>>>> Sun Nov 03 21:00:27 2013 MANAGEMENT:>STATE:1383534027,AUTH,,,
>>>>> Sun Nov 03 21:00:27 2013 TLS: Initial packet from [AF_INET]**.**.**.232:1194, sid=cc4ea058 9f0a9c59
>>>>> Sun Nov 03 21:00:57 2013 [UNDEF] Inactivity timeout (--ping-restart), restarting
>>>>> Sun Nov 03 21:00:57 2013 SIGUSR1[soft,ping-restart] received, process restarting
>>>>> Sun Nov 03 21:00:57 2013 MANAGEMENT:>STATE:1383534057,RECONNECTING,ping-restart,,
>>>>> Sun Nov 03 21:00:57 2013 Restart pause, 2 second(s)
>>>>> Sun Nov 03 21:00:58 2013 SIGTERM[hard,init_instance] received, process exiting
>>>>> Sun Nov 03 21:00:58 2013 MANAGEMENT:>STATE:1383534058,EXITING,init_instance,,
>>>>> 
>>>>> Server log
>>>>> Wed Dec 31 18:00:59 1969 OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct 22 2013
>>>>> - -
>>>>> Sun Nov 3 20:59:29 2013 Initialization Sequence Completed
>>>>> Sun Nov 3 21:00:26 2013 192.168.1.116:51126 TLS: Initial packet from [AF_INET]192.168.1.116:51126, sid=9edfecdb 4157f6ff
>>>>> Sun Nov 3 21:00:26 2013 192.168.1.116:51126 TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:lib(20):func(138):reason(193)
>>>>> Sun Nov 3 21:00:26 2013 192.168.1.116:51126 TLS Error: TLS object -> incoming plaintext read error
>>>>> Sun Nov 3 21:00:26 2013 192.168.1.116:51126 TLS Error: TLS handshake failed
>>>>> Sun Nov 3 21:00:26 2013 192.168.1.116:51126 SIGUSR1[soft,tls-error] received, client-instance restarting
>>>>> 
>>>>> 
>>>>> What does the TLS error mean?
>>>> 
>>>> Seems the OpenSSL library on your server isn't compiled with
>>>> error strings enabled. But you can use 'openssl errstr' on
>>>> another computer to figure this out.
>>>> 
>>>> $ openssl errstr 1408A0C1
>>>> error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
>>>> 
>>>> So this sounds like there's a mismatch between your server
>>>> and client config in regards to cipher parameters.
>>>> 
>>>> 
>>>> -- kind regards,
>>>> 
>>>> David Sommerseth
>>> 
>>> 
>>> Thanks for the response. I'm confused by this because I am
>>> using the exact same line in the server config and the client
>>> config???
>> 
>> But does your OpenSSL library support the same ciphers on both
>> sides? Does it --show-ciphers and --show-tls on both sides
>> contain the ciphers you use in your config file? OpenVPN gets
>> this error from OpenSSL, so this is obviously a configuration
>> issue.
>> 
>> And just to have that said, --show-ciphers lists what is possible
>> to use with --cipher, while --show-tls lists what is possible to
>> use with --tls-cipher. And you need to have a common value on
>> both sides which OpenSSL on both sides supports.
>> 
> 
> I ran the --show-tls on both the server and client.  They both
> have TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA (client actually had
> more options).  I have this exactly in both config files however
> it doesn't connect.

Well then, don't ignore the details Josh says about SRP:

  "By selecting an SRP authentication method, you are asking for a
   completely different mode of operation that is based on establishing
   a session encryption key based on passwords. This does not work in
   OpenVPN's context because the concept of a client or server's
   commonName is bound to the X.509 certificate field by the same name.
   Thus, you cannot use SRP with openvpn without significant
   modification to the openvpn program."

   <http://thread.gmane.org/gmane.network.openvpn.user/34488/focus=34493>


- -- 
kind regards,

David Sommerseth

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlJ4x6AACgkQDC186MBRfrq2KgCfZswYhqTDLUAKnwS86HwSTVMf
SSIAn0PxVsCia6JIEQhZkjP7s30WQTV8
=ht9B
-----END PGP SIGNATURE-----
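The two checks discussed in this thread, decoding the raw OpenSSL error code the server logged when its library lacked error strings, and looking for a --tls-cipher value that both peers' `--show-tls` output actually contains, as an added shell example. This is not code from the thread or from OpenVPN. The `--show-tls` lists are constructed samples, not the poster's real output; the bit layout used to decode the error code (library in the top byte, function in the next 12 bits, reason in the low 12 bits) is the ERR_PACK layout of OpenSSL 1.0.x/1.1.x, which is what the "lib(20):func(138):reason(193)" in the log shows; and dropping TLS-SRP-* suites from the result follows the explanation David quotes above.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenVPN): the two checks discussed
# above, run offline against constructed sample data.

# --- 1. Decode an OpenSSL error code by hand --------------------------------
# OpenSSL 1.0.x/1.1.x pack an error as ERR_PACK(lib, func, reason):
#   bits 31..24 = library, bits 23..12 = function, bits 11..0 = reason.
# That is what the server's "lib(20):func(138):reason(193)" encodes when the
# library was built without error strings; 'openssl errstr' maps the same
# numbers to "SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher".
ossl_lib()    { echo $(( (0x$1 >> 24) & 0xFF )); }
ossl_func()   { echo $(( (0x$1 >> 12) & 0xFFF )); }
ossl_reason() { echo $(( 0x$1 & 0xFFF )); }
ossl_decode() {
    printf 'lib(%d):func(%d):reason(%d)\n' \
        "$(ossl_lib "$1")" "$(ossl_func "$1")" "$(ossl_reason "$1")"
}

# --- 2. Find a tls-cipher that both peers actually offer --------------------
# Constructed sample output of `openvpn --show-tls` from each side (not the
# poster's real lists; the client is given extra suites, as in the thread).
SERVER_SHOW_TLS='TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-AES-128-CBC-SHA'
CLIENT_SHOW_TLS='TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA
TLS-RSA-WITH-AES-128-CBC-SHA'

# Suites present in both lists (byte-order sorted, one per line).
common_tls_ciphers() {
    t=$(mktemp) || return 1
    printf '%s\n' "$1" | LC_ALL=C sort -u > "$t"
    printf '%s\n' "$2" | LC_ALL=C sort -u | LC_ALL=C comm -12 "$t" -
    rm -f "$t"
}

# Same, minus SRP suites: they show up in --show-tls, but OpenVPN binds peer
# identity to the X.509 commonName (see the quoted explanation), so a
# "common" SRP suite still ends in "no shared cipher" at the handshake.
usable_tls_ciphers() {
    common_tls_ciphers "$1" "$2" | grep -v '^TLS-SRP-'
}

echo "error:1408A0C1 decodes to $(ossl_decode 1408A0C1)"
echo "usable common tls-cipher values:"
usable_tls_ciphers "$SERVER_SHOW_TLS" "$CLIENT_SHOW_TLS"
```

To use it against real peers, replace the two constructed strings with the saved output of `openvpn --show-tls` from each machine; an empty result from `usable_tls_ciphers` means the chosen --tls-cipher cannot succeed no matter how identical the two config lines are.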
